DNS sslip Corrections
Issue: Nextcloud OIDC login returns “Could not reach the OpenID Connect provider”
Symptom: Visiting https://nextcloud.192.168.0.215.sslip.io/apps/user_oidc/login/1 returns HTTP 404 with the error page: “Could not reach the OpenID Connect provider.”
Root Cause
Two issues in Nextcloud’s HTTP client configuration that blocked outbound requests to the Keycloak OIDC provider at id.192.168.0.215.sslip.io:
Nextcloud DNS pinning (local address restriction): CoreDNS rewrites
*.192.168.0.215.sslip.ioto the NGINX ingress controller’s ClusterIP (10.110.37.102). Nextcloud’sDnsPinMiddleware(lib/private/Http/Client/DnsPinMiddleware.php:139) blocks HTTP requests to private/local IPs as an SSRF prevention measure, throwingOCP\Http\Client\LocalServerException: Host "10.110.37.102" (id.192.168.0.215.sslip.io:80) violates local access rules.Self-signed TLS certificate: The Keycloak ingress uses a self-signed TLS certificate generated by Helm. The user_oidc app’s
HttpClientHelperrejects it by default.
Changes applied
Ran inside the Nextcloud pod (kubectl exec deploy/nextcloud -- php occ config:system:set ...):
| Setting | Value | Purpose |
|---|---|---|
allow_local_remote_servers | true | Bypasses DNS pinning for local addresses (allows HTTP requests to ClusterIPs) |
user_oidc.httpclient.allowselfsigned | true | Permits the user_oidc HTTP client to accept self-signed TLS certificates |
Verification
GET /apps/user_oidc/login/1returns HTTP 303 redirect to Keycloak authorization endpoint athttps://id.192.168.0.215.sslip.io/realms/mijnbureau/protocol/openid-connect/auth?...- Full login flow:
/→/login→/apps/user_oidc/login/1→ Keycloak auth → callback to/apps/user_oidc/code